297 lines
9.2 KiB
HTML
297 lines
9.2 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en">
|
|
<head>
|
|
<meta charset="UTF-8">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self' data:; img-src 'self' data:; connect-src 'self'; base-uri 'self'; form-action 'self' https://defcon.social https://bsky.app;">
|
|
<meta http-equiv="X-Content-Type-Options" content="nosniff">
|
|
<link rel="stylesheet" href="../assets/css/style.css">
|
|
<link rel="icon" type="image/x-icon" href="../favicon.ico">
|
|
<script>
|
|
// Apply theme immediately to prevent flash
|
|
(function() {
|
|
const theme = localStorage.getItem('theme') ||
|
|
(window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light');
|
|
document.documentElement.setAttribute('data-theme', theme);
|
|
})();
|
|
</script>
|
|
<title>snort Cheatsheet - Cheatsheets - Launch Pad</title>
|
|
</head>
|
|
<body>
|
|
<button class="theme-toggle" id="themeToggle" aria-label="Toggle dark mode">
|
|
<svg class="theme-icon theme-icon-moon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1 1 11.21 3 7 7 0 0 0 21 12.79z"></path></svg>
|
|
<svg class="theme-icon theme-icon-sun" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" style="display: none;"><circle cx="12" cy="12" r="5"></circle><line x1="12" y1="1" x2="12" y2="3"></line><line x1="12" y1="21" x2="12" y2="23"></line><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line><line x1="1" y1="12" x2="3" y2="12"></line><line x1="21" y1="12" x2="23" y2="12"></line><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line></svg>
|
|
</button>
|
|
<br/><br/>
|
|
<div class="name">
|
|
__ _______________________ _________._________________________
|
|
\_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/
|
|
| __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_
|
|
| \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \
|
|
\___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ /
|
|
\/ \/ \/ \/ \/ \/ \/
|
|
</div>
|
|
<div class="blog-page-header">
|
|
<div class="blog-header-content">
|
|
<a href="/cheatsheets" class="back-link" title="Back to Cheatsheets">
|
|
<svg xmlns="http://www.w3.org/2000/svg" width="42" height="42" viewBox="0 0 24 24" class="home-icon"><path fill="currentColor" d="M10 20v-6h4v6h5v-8h3L12 3 2 12h3v8z"/></svg>
|
|
</a>
|
|
<h1 class="blog-page-title">snort Cheatsheet</h1>
|
|
</div>
|
|
</div>
|
|
<div class="blog-post-container">
|
|
<div class="blog-posts-container" style="max-width: 900px; margin: 0 auto;">
|
|
<div class="blog-post">
|
|
<div class="blog-post-content">
|
|
<p><a href="index.html">← Back to cheatsheets</a></p>
|
|
<p><a href="../index.html">← Home</a></p>
|
|
<hr>
|
|
<p>snort is an open-source intrusion detection system (IDS) and intrusion prevention system (IPS).</p>
|
|
<hr>
|
|
<h2>Basic Commands</h2>
|
|
<ul>
|
|
<li>snort -V - Show version</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort --version - Show version (alternative)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -h - Show help/options</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -T - Test configuration (syntax check)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -T -c <config> - Test specific config file</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -c <config> - Use specific config file</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -i <interface> - Run on interface</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -i eth0 -c <config> - Run on eth0 with config</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -l <dir> - Log to directory</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -r <pcap> - Read from pcap file</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Alert Modes</h2>
|
|
<ul>
|
|
<li>snort -A console - Console alert mode</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -A fast - Fast alert mode</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -A full - Full alert mode</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -A unsock - Unix socket alert mode</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -A none - No alerts</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -A cmg - CMG alert mode</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -A alert_json - JSON alert mode</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -q - Quiet mode (suppress banner)</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Rule Writing</h2>
|
|
<h3>Rule Structure</h3>
|
|
<pre><code>action protocol src_ip src_port -> dst_ip dst_port ( options )</code></pre>
|
|
<h3>Example Rules</h3>
|
|
<pre><code># Alert on HTTP traffic
|
|
alert tcp any any -> 192.168.1.0/24 80 ( msg:"HTTP Traffic Detected"; flow:to_server,established; sid:100001; )
|
|
|
|
# Alert on suspicious port scan
|
|
alert tcp any any -> 192.168.1.0/24 any ( flags:S; msg:"Possible Port Scan"; threshold:type threshold, track by_src, count 10, seconds 60; sid:100002; )
|
|
|
|
# Alert on ICMP ping
|
|
alert icmp any any -> any any ( msg:"ICMP Ping Detected"; icode:0; itype:8; sid:100003; )</code></pre>
|
|
<h3>Rule Options</h3>
|
|
<ul>
|
|
<li>msg:"text" - Alert message</li>
|
|
</ul>
|
|
<ul>
|
|
<li>sid:number - Rule ID (must be unique)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>rev:number - Revision number</li>
|
|
</ul>
|
|
<ul>
|
|
<li>content:"string" - Search for string in payload</li>
|
|
</ul>
|
|
<ul>
|
|
<li>flags:S - TCP SYN flag</li>
|
|
</ul>
|
|
<ul>
|
|
<li>flow:to_server,established - Flow direction and state</li>
|
|
</ul>
|
|
<ul>
|
|
<li>threshold:type threshold, track by_src, count N, seconds M - Threshold</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Configuration</h2>
|
|
<h3>Config File Locations</h3>
|
|
<ul>
|
|
<li>/etc/snort/snort.conf - Main config (Snort 2)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>/etc/snort/snort.lua - Main config (Snort 3)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>/etc/snort/rules/ - Rules directory</li>
|
|
</ul>
|
|
<ul>
|
|
<li>/etc/snort/snort_defaults.lua - Defaults (Snort 3)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>~/.snort/ - User config directory</li>
|
|
</ul>
|
|
<h3>Example snort.conf (Snort 2)</h3>
|
|
<pre><code># Network variables
|
|
var HOME_NET 192.168.1.0/24
|
|
var EXTERNAL_NET !$HOME_NET
|
|
|
|
# Include rules
|
|
include $RULE_PATH/local.rules
|
|
include $RULE_PATH/community.rules</code></pre>
|
|
<h3>Example snort.lua (Snort 3)</h3>
|
|
<pre><code>-- Network variables
|
|
HOME_NET = '192.168.1.0/24'
|
|
EXTERNAL_NET = '!HOME_NET'
|
|
|
|
-- Include rules
|
|
ips = {
|
|
include = 'malware.rules',
|
|
include = 'exploit.rules',
|
|
}</code></pre>
|
|
<h3>Include Rules</h3>
|
|
<ul>
|
|
<li>Include single rule file: -R <file></li>
|
|
</ul>
|
|
<ul>
|
|
<li>Include rule directory: --rule-path <dir></li>
|
|
</ul>
|
|
<ul>
|
|
<li>Enable built-in rules: --lua 'ips.enable_builtin_rules = true'</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Logging and Output</h2>
|
|
<ul>
|
|
<li>snort -l /var/log/snort - Log to directory</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -r snort.log - Read from log file</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -r snort.log 'udp and port 53' - Read with BPF filter</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -K ascii - Log in ASCII mode</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -K pcap - Log in pcap mode</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -K none - No packet logging</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Advanced Options</h2>
|
|
<ul>
|
|
<li>snort -D - Run as daemon</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -d - Dump application layer</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -e - Show layer 2 headers</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -v - Verbose mode</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -X - Show raw packet data</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -N - Disable logging</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -s - Log alerts to syslog</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -S <file> - Log alerts to file</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -u <user> - Run as user</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort -g <group> - Run as group</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Configuration Conversion</h2>
|
|
<ul>
|
|
<li>snort2lua -c snort.conf - Convert Snort 2 config to Snort 3 (Lua)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>snort2lua -c snort.conf -o output.lua - Convert with output file</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Tips</h2>
|
|
<ul>
|
|
<li>Use quiet mode (-q) when combining with alert modes (-A) to avoid clutter</li>
|
|
</ul>
|
|
<ul>
|
|
<li>When writing rules, always include a unique sid and rev</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Test new or modified rules against pcaps before deployment</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Keep snort updated - rulesets are updated frequently</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Monitor performance - many rules with deep payload inspection can increase load</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use -T flag to test configuration before deploying</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Test rules with -r <pcap> to verify they work as expected</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use BPF filters to reduce processing load on high-traffic networks</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Snort 3 uses Lua configuration, Snort 2 uses traditional config files</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use threshold rules to reduce false positives from noisy alerts</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Organize rules into separate files by category for easier management</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Review alert logs regularly to tune rules and reduce false positives</li>
|
|
</ul>
|
|
<hr>
|
|
<p><a href="index.html">← Back to cheatsheets</a></p>
|
|
<p><a href="../index.html">← Home</a></p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<script async type="text/javascript" src="../blog/analytics.js"></script>
|
|
<script src="../theme.js"></script>
|
|
</body>
|
|
</html> |